arXiv:1502.00050v1 [cs.DC] 31 Jan 2015


Time-Free and Timer-Based Assumptions Can Be Combined to 
Solve Authenticated Byzantine Consensus 


Hamouma Moumen 
Departement d’informatique, 

LMA, Universite de Bejaia, 06000 Bejaia, Algeria

hamouma.moumen@univ-bejaia.dz 


Abstract 

To circumvent the FLP impossibility result in a deterministic way, several protocols have been proposed on top of an asynchronous distributed system enriched with additional assumptions. In the context of Byzantine failures, for systems where at most t processes may exhibit a Byzantine behavior, two approaches have been investigated to solve the consensus problem. The first, called Timer-Based, relies on the addition of synchrony; the second, called Time-Free, is based on the pattern of the messages that are exchanged. This paper shows that both types of assumptions are not antagonistic and can be combined to solve authenticated Byzantine consensus. This combined assumption considers a correct process p_i, called ◇2t-BW, and a set X of 2t processes such that, eventually, for each query broadcast by a correct process p_j of X, p_j receives a response from p_i ∉ X among the (n − t) first responses to that query or both links connecting p_i and p_j are timely. Based on this combination, a simple hybrid authenticated Byzantine consensus protocol, benefiting from the best of both worlds, is proposed. Whereas many hybrid protocols have been designed for the consensus problem in the crash model, this is, to our knowledge, the first hybrid deterministic solution to the Byzantine consensus problem.


Keywords: Asynchronous distributed system, Byzantine process, Consensus, Distributed algorithm, hybrid protocol, time-free assumption, timer-based assumption, Fault tolerance.


1 Introduction 

1.1 Context of the Study and Motivation 

The Consensus problem is one of the most attractive problems in the field of asynchronous distributed systems. It may be used as a building block to design or implement several applications on top of fault-prone asynchronous distributed systems, since it abstracts several basic agreement problems. Solving the Consensus problem in an asynchronous distributed system where processes (even only one) may crash is impossible [?]. This impossibility result comes from the fact that it is impossible to distinguish a crashed process from a process that is slow or with which communication is slow. To overcome this impossibility, asynchronous distributed systems have to be enriched with additional power such as synchrony assumptions [?], common coins [30], randomization [?], unreliable failure detectors [?] and input vector restrictions [?]. When considering the Consensus problem in a setting where some processes can behave arbitrarily (Byzantine behavior), solving this problem becomes more beneficial for designers or developers of applications on top of Byzantine fault-prone asynchronous distributed systems, but the capacity of such a behavior makes this task more complex and more difficult compared with crash failures. This difficulty comes from the fact that a Byzantine process may propose a wrong value and try to impose it on correct processes.

1.2 Related Works 

To solve consensus in a deterministic way in the context of crash failures, synchrony assumptions must be added [?] or information about failures must be provided by failure detectors associated with the processes of the system [?]. A failure detector can be seen as a black box that gives (possibly incorrect) information about process failures. Three approaches have been investigated to implement failure detectors. The first, called Timer-Based, considers the partially synchronous system model [?], which generalizes the model of [?], where there are bounds on the relative speed of processes and on message transfer delays, but these bounds are not known and hold only after some finite but unknown time, called Global Stabilization Time (GST). The second approach, introduced in [22], does not make timing assumptions about process speeds and communication delays. This approach, called "Time-Free", is based on the pattern of messages that are exchanged. It considers the query-response-based winning messages proposed in [?, 28] and the theta-model proposed in [?]. In the third approach, called hybrid, assumptions of both approaches cited above are combined to implement failure detectors [26, 23].

In the context of Byzantine failures, most solutions for the consensus problem consider the partially synchronous system model where all links are eventually timely [2, 6, 9, 10, 11, ?, ?, 19]. In such a context, the notion of failure detector, originally designed for crash failures, is extended to mute failures [9, 17]. A muteness failure detector provides information about processes that are silent (that did not send some consensus protocol messages). This category is used directly in [13, 14] to solve Byzantine consensus.

For the classical partially synchronous models [7, ?] composed of n partially synchronous processes [?] among which at most t may crash, many models that require only some links to be timely have been proposed [2, 15, 25], in contrast to the related works cited above, which assume that the whole system is eventually synchronous. The system model considered in [2] assumes at least an eventual t-source. An eventual t-source is a correct process with t outgoing eventually timely links (processes communicate using point-to-point communication primitives). On the other hand, the system model considered in [25] assumes a broadcast communication primitive and at least one correct process with t bidirectional but moving eventually timely links. These two models are not comparable [15]. In such a context, [?] proved that a ◇t-source (eventual t-source) is necessary and sufficient to solve consensus, which means that it is not possible to solve consensus if the number of eventually timely links is smaller than t or if they are not outgoing links of a same correct process.

For the second approach [22], used to implement the failure detectors defined in [?], where there are no eventual bounds on process speeds and communication delays (Message Pattern), [23] proposed a leader protocol with a very weak assumption on the pattern of messages that are exchanged. This protocol assumes a correct process p_i and a set Q of t processes, possibly containing crashed processes (with p_i ∉ Q), such that, each time a process p_j ∈ Q broadcasts a query, it receives a response from p_i among the first (n − t) corresponding responses (such a response is called a winning response). The two previous approaches (◇t-source and Message Pattern) are combined in [?] to obtain an eventual leader protocol. This combined assumption considers a star communication structure involving (t + 1) processes (these t + 1 processes can differ from one run of the system to another) and is such that each of its t links can satisfy a property independently of the property satisfied by the t − 1 other links.

In the context of Byzantine consensus where t processes can exhibit an arbitrary behavior, Aguilera et al. [?] propose a system model with weak synchrony properties that allows solving the consensus problem. The model assumes at least a ◇bisource (eventual bisource). A ◇bisource is a correct process with all its outgoing and incoming links eventually timely. This means that the number of eventually timely links could be as low as 2(n − 1) links. Their protocol does not need authentication and consists of a series of rounds each made up of 12 communication steps and O(n²) messages. In [?], Moumen et al. proposed a system model that considers an eventual bisource with a scope of 2t. The eventual bisource assumed by [1] has the maximal scope (x = n − 1). An eventual 2t-bisource (◇2t-bisource) is a correct process where the number of privileged neighbors is 2t, where t is the maximum number of faulty processes. Their protocol needs authentication and consists of a series of rounds each made up of 5 communication steps and O(n²) messages. In [20], Moumen and Mostefaoui propose a weak system model that does not rely on physical time but on the pattern of messages that are exchanged. This model is based on the query-response mechanism and assumes at least a ◇2t-winning process (eventual 2t-winning process). A ◇2t-winning process is a correct process where the number of privileged neighbors is 2t, such that eventually, for each query broadcast by any of its privileged neighbors, that neighbor receives a response from the ◇2t-winning process among the (n − t) first responses to that query. Their protocol needs authentication and consists of a series of rounds each made up of 5 communication steps and O(n²) messages. Note that this assumption does not prevent message delays from always increasing without bound. Hence, it is incomparable with the timer-based ◇2t-bisource assumption.

1.3 Contribution of the Paper 

The two previous approaches (Timer-Based and Time-Free) have been considered both in the case of crash failures and in the case of Byzantine failures, but they have never been combined in the case of Byzantine faults. This paper shows that Timer-Based and Time-Free assumptions can be combined and proposes a system model where processes are partially synchronous and the communication model satisfies the requirements of the combined assumption. This combined assumption considers a correct process p_i, called ◇2t-BW (B for Bisource and W for Winning), and a set X of 2t processes (some of which may be Byzantine), such that, eventually, for each query broadcast by a correct process p_j of X, p_j receives a response from p_i ∉ X among the (n − t) first responses to that query or both links connecting p_i and p_j are timely. If all links that connect p_i with the processes of X are timely, then p_i is a ◇2t-bisource; if all processes of X receive the response of p_i among the (n − t) first responses to each query they have broadcast, then p_i is a ◇2t-winning process.

For the assumed model, a simple hybrid authenticated Byzantine consensus protocol, benefiting from the best of both worlds, is proposed. To our knowledge, this is the first protocol that combines Timer-Based and Time-Free assumptions to solve authenticated Byzantine consensus.

1.4 Organization of the Paper 

The paper is made up of six sections. Section 2 presents the basic computation model and the Consensus problem. Then, Section 3 presents the consensus protocol with a ◇2t-BW that we propose, and Section 4 proves its correctness. Finally, Section 5 concludes the paper.

2 Basic Computation Model and Consensus Problem

2.1 Asynchronous Distributed System with Byzantine Process 

We consider a message-passing system consisting of a finite set Π of n (n > 1) processes, namely Π = {p_1, ..., p_n}. A process executes steps (send a message, receive a message or execute a local computation). The value t denotes the maximum number of processes that can exhibit a Byzantine behavior. A Byzantine process may behave in an arbitrary manner. It can crash, fail to send or receive messages, send arbitrary messages, start in an arbitrary state, send different values to different processes, perform arbitrary state transitions, etc. A correct process is one that is not Byzantine. A faulty process is one that is not correct.

Processes communicate and synchronize with each other by sending and receiving messages over a network. The link from process p to process q is denoted p → q. Every pair of processes is connected by two links p → q and q → p. Links are assumed to be reliable: they do not create, alter, duplicate or lose messages. There is no assumption about the relative speed of processes or message transfer delays.

2.2 An authentication mechanism 

In order to deal with the power of Byzantine processes, we assume that an authentication mechanism is available. Public key cryptography, such as RSA signatures [?], is used by a process to verify the original sender of a message and to force a process to relay the original message received. In our authenticated Byzantine model, we assume that Byzantine processes are not able to subvert the cryptographic primitives. To prevent a Byzantine process from sending different values to different processes, each message has to carry a value and the set of (n − t) values the sender received during the previous step. The included signed values can be used by a receiving process to check whether the value sent by any process complies with the values received at the previous step. This set of signed values is called a certificate and its role is to prove to the receiver that the value is legal.

To ensure message validity, each process has an underlying daemon that filters the messages it receives. For example, the daemon discards all duplicate messages (necessarily sent by Byzantine processes, as we assume reliable send and receive operations between correct processes). The daemon also discards all messages that are not syntactically correct or that do not comply with the text of the protocol.

2.3 A Time-Free Assumption 

Query-Response Mechanism. In this paper, we consider that each process is provided with a query-response mechanism. More specifically, any process p can broadcast a QUERY() message and then wait for corresponding RESPONSE() messages from (n − t) processes. Each of these RESPONSE() messages is a winning response for that query, and the corresponding sender processes are the winning processes for that query. The other responses, received after the first (n − t) RESPONSE() messages, are the losing responses for that query and are automatically discarded. A process issues a new query only when the previous one has terminated (the first (n − t) responses have been received). Finally, the response from a process to its own queries is assumed to always arrive among the first (n − t) responses it is waiting for.

Henceforth, we reuse the definitions of [?, 26, 23, ?] to formally define a winning link and an x-winning process.

Definition 1 Let p and q be two processes. The link p → q is eventually winning (denoted ◇WL) if there is a time τ such that the response from p to each query issued by q after τ is a winning response (τ is finite but unknown).

Definition 2 A process p is an x-winning at time τ if p is correct and there exists a set X of processes of size x such that, for any process q in X, the link p → q is winning. The processes of X are said to be privileged neighbors of p.

Definition 3 A process p is a ◇x-winning if there is a time τ such that, for all τ' > τ, p is an x-winning at τ'.

2.4 A Timer-Based Assumption 

Hereafter, we rephrase the definitions of [15] to formally define a timely link and an x-bisource.

Definition 4 A link from a process p_i to any process p_j is timely at time τ if (1) no message sent by p_i at time τ is received at p_j after time (τ + δ) or (2) process p_j is not correct.

Definition 5 A process p_i is an x-bisource at time τ if:

- (1) p_i is correct

- (2) there exists a set X of processes of size x such that, for any process p_j in X, both links from p_i to p_j and from p_j to p_i are timely at time τ. The processes of X are said to be privileged neighbors of p_i.

Definition 6 A process p_i is a ◇x-bisource if there is a time τ such that, for all τ' > τ, p_i is an x-bisource at τ'.

2.5 Combining Time-Free and Timer-Based Assumptions 

Definition 7 A process p_i is a ◇x-BW at time τ if:

- (1) there exists a set Y of processes of size y and a set Z of processes of size z such that Y ∩ Z = ∅ and y + z = x

- (2) there is a time τ such that, for all τ' > τ, p_i is a y-bisource and a z-winning at the same time τ'. If y = 0 then p_i is an x-winning and if z = 0 then p_i is an x-bisource.

For the rest of the paper, we consider an asynchronous distributed system where the only additional assumptions are those needed by the ◇x-BW.

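The following Python script, added here as an illustration and not part of the paper, applies Definitions 1–7 to a constructed trace: it classifies each link of a candidate process as winning (Definition 1) or timely (Definition 4), derives the disjoint sets Y and Z of Definition 7, and reports the largest x for which the process is an x-BW. The trace, the bound δ = 10 and the process numbering are assumptions of the example; the trace is taken to be observed after the stabilization time, so "eventually" reduces to "for every query in the trace".

```python
"""Classification of links according to Definitions 1-7 on a constructed trace."""

N, T = 4, 1          # assumed system size and fault bound (n > 3t)
DELTA = 10           # assumed value of the unknown bound delta of Definition 4

# Constructed trace, assumed to be observed after the stabilization time.
# QUERIES[q] lists, for each query issued by q, the responders in the order
# in which their RESPONSE messages arrived at q.
QUERIES = {
    1: [[1, 2, 3, 0], [0, 1, 3, 2]],   # 0 is 4th once: link 0 -> 1 is not winning
    2: [[2, 3, 1, 0]],                 # 0 is 4th: link 0 -> 2 is not winning
    3: [[3, 0, 1, 2], [0, 3, 2, 1]],   # 0 always among the first n - t = 3
}
# DELAYS[(p, q)] lists the observed transfer delays of messages on link p -> q.
DELAYS = {
    (0, 1): [3, 4], (1, 0): [2, 5],    # both directions within delta
    (0, 2): [4, 30], (2, 0): [3],      # one message on 0 -> 2 exceeds delta
    (0, 3): [6], (3, 0): [5, 12],      # one message on 3 -> 0 exceeds delta
}

def winning_link(p, q, queries, n, t):
    """Definition 1: p -> q is winning if p's response is among the first
    (n - t) responses to every query of q. A process's own response is
    always winning (Section 2.3)."""
    if p == q:
        return True
    return all(p in order[: n - t] for order in queries.get(q, []))

def timely_link(p, q, delays, delta, faulty=frozenset()):
    """Definition 4: p -> q is timely if no message exceeds delta (clause 1)
    or the receiver q is not correct (clause 2)."""
    return q in faulty or all(d <= delta for d in delays.get((p, q), []))

def winning_neighbors(p, queries, n, t):
    """Definition 2: the processes q with p -> q winning."""
    return {q for q in range(n) if q != p and winning_link(p, q, queries, n, t)}

def bisource_neighbors(p, delays, delta, n, faulty=frozenset()):
    """Definition 5, clause 2: the processes q with p -> q and q -> p timely."""
    return {q for q in range(n) if q != p
            and timely_link(p, q, delays, delta, faulty)
            and timely_link(q, p, delays, delta, faulty)}

def bw_sets(p, queries, delays, delta, n, t, faulty=frozenset()):
    """Definition 7: a set Y of timely (bisource) neighbors and a disjoint
    set Z of winning-only neighbors; p is an x-BW for every x <= |Y| + |Z|."""
    Y = bisource_neighbors(p, delays, delta, n, faulty)
    Z = winning_neighbors(p, queries, n, t) - Y
    return Y, Z

def bw_scope(p, queries, delays, delta, n, t, faulty=frozenset()):
    """Largest x such that p is an x-BW (the protocol needs x = 2t)."""
    Y, Z = bw_sets(p, queries, delays, delta, n, t, faulty)
    return len(Y) + len(Z)

if __name__ == "__main__":
    Y, Z = bw_sets(0, QUERIES, DELAYS, DELTA, N, T)
    x = bw_scope(0, QUERIES, DELAYS, DELTA, N, T)
    print(f"Y (timely both ways) = {sorted(Y)}, Z (winning only) = {sorted(Z)}")
    print(f"process 0 is an x-BW for x <= {x}; x >= 2t = {2 * T}: {x >= 2 * T}")
```

On this trace process 0 reaches scope 2 = 2t with neighbor 1 through the timer-based clause and neighbor 3 through the time-free clause, although it is neither a 2t-bisource nor a 2t-winning process on its own.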
2.6 The Consensus Problem 

We consider the multivalued consensus problem, where there is no bound on the cardinality of the set of proposable values. In the multivalued consensus problem, every process p_i proposes a value v and all correct processes have to eventually decide on a single value among the values proposed by the processes.

Let us observe that, in a Byzantine failure context, the consensus definition should not be too strong. For example, it is not possible to force a faulty process to decide the same value as the correct processes, since a Byzantine process can decide whatever it wants. Similarly, it is not reasonable to decide any proposed value, since a faulty process can initially propose different values to distinct processes and consequently the notion of "proposed value" may not be defined for Byzantine processes. Thus, in such a context, the consensus problem is defined by the following three properties:

• Termination: Every correct process eventually decides.

• Agreement: No two correct processes decide different values.

• Validity: If all the correct processes propose the same value v, then only the value v can be decided.


3 An Authenticated Byzantine Consensus Protocol With ◇2t-BW

Figure 1 presents an authenticated Byzantine consensus protocol in an asynchronous distributed system where the only additional assumptions are those needed by the ◇x-BW. The principle of the proposed protocol is similar to those proposed in [20, 24], except for the coordination phase at the beginning of each round. Each process p_i executes the code of the protocol given in Figure 1. This protocol is composed of three tasks: a main task (T1), a coordination task (T2), and a decision task (T3).

Before executing the first round (r = 1), each process p_i keeps its estimate of the decision value in a local variable est_i and starts with the init phase in order to guarantee the validity property. In this phase, each process p_i sends an INIT(v_i) message containing its estimate to all processes. If p_i receives at least (n − 2t) INIT messages for v then it changes its estimate to v, else it keeps its own estimate. After this phase, the protocol proceeds in consecutive asynchronous rounds. Each round r is composed of four communication phases and is coordinated by a predetermined process p_c (line 4).

First phase of a round r (lines 5–8). Each process that starts a round (including the coordinator of the round) first sends its own estimate (with the associated certificate) to the coordinator (p_c) of the current round and sets a timer to Δ_i[c].

In a separate task T2[r] (line 21), each time a process receives a valid QUERY message (perhaps from itself) containing an estimate est, it sends a RESPONSE message to the sender. If the process that responds to a query message is the coordinator of the round to which the query message is associated, the value it sends in the RESPONSE message is the coordination value. If the process that responds is not the coordinator, it responds with any value, as the role of such a message is only to define winning links. As the reader can see in lines 22–23, the value sent by the coordinator is the value contained in the first valid query message of the round it coordinates.

In the main task at line 6, a process p_i waits for the response from p_c (the coordinator of the round) or for the expiration of the timer of p_c (Δ_i[c]) and for (n − t) responses from other processes. In the latter case, process p_i is sure that p_c is not the ◇2t-BW, as its response is not winning and its link with p_i is not timely. If a process p_i receives a response from the coordinator then it keeps the value in a variable aux_i, otherwise it sets aux_i to a default value ⊥ (this value cannot be proposed). If the timer times out while waiting for the response from p_c, Δ_i[c] is incremented and p_i considers that its link with p_c is not eventually timely, or that p_c is Byzantine, or that the value Δ_i[c] is not yet set to the right value. As Δ_i[c] is incremented each time p_c's response misses the deadline, it will eventually reach the bound on the round trip between p_i and p_c if the link between them is timely.

If the current coordinator is a ◇2t-BW then at least (t + 1) correct processes will get the value v of the coordinator and thus set their variable aux to v (≠ ⊥). The next phases will serve to propagate this value from the (t + 1) correct processes to all correct processes. Indeed, among the 2t privileged neighbors of the current coordinator at least t are correct processes and all of them will receive the value of the coordinator. If the current coordinator is Byzantine, it can send nothing to some processes and/or perhaps send different certified values to different processes. If the current coordinator is not a ◇2t-BW or if it is Byzantine, the three next phases allow correct processes to behave in a consistent way. Either none of them decides or, if some of them decide a value v despite the Byzantine behavior of the coordinator, then the only certified value for the next round will be v, preventing Byzantine processes from introducing other values. The aim of the first phase is that if the coordinator is a ◇2t-BW then at least (t + 1) correct processes will get its value at the end of line 7.

Second phase of a round r (lines 9–11). During the second phase, all correct processes relay, at line 9, either the value they received from the coordinator (with its certificate) or the default value ⊥ if they timed out and received (n − t) RESPONSE messages from other processes. Each process collects (n − t) valid messages and stores the values in a set V_i (line 10). At line 9, if the coordinator is correct only one value is valid and can be relayed.

Moreover, if the current coordinator is a ◇2t-BW then any correct process p_i will get in its set V_i at least one copy of the value of the coordinator, as among the (t + 1) copies sent by the (t + 1) correct processes that got the value of the coordinator, a correct process cannot miss more than t copies (recall that a correct process collects (n − t) valid messages). If the coordinator is not a ◇2t-BW or if it is Byzantine, some processes can receive only ⊥ values, others may receive more than one value (the coordinator is necessarily Byzantine in this case) and some others can receive a unique value. This phase has no particular effect in such a case. The condition (V_i − {⊥} = {v}) of line 11 means that if there is only one non-⊥ value v in V_i then this value is kept in aux_i, otherwise aux_i is set to ⊥. The aim of this second phase is that if the coordinator is a ◇2t-BW then all the correct processes will get its value.

Third phase of a round r (lines 12–14). This phase is a filter; it ensures that at the end of this phase, at most one non-⊥ value can be kept in the aux variables in the situations where the coordinator is Byzantine. If the coordinator is correct, this is already the case. When the coordinator is Byzantine, two different correct processes may have set their aux_i variables to different values. This phase consists of an all-to-all message exchange. Each process collects (n − t) valid messages, the values of which are stored in a set V_i. If all received messages contain the same value v (V_i = {v}) then v is kept in aux_i, otherwise aux_i is set to the default value ⊥. At the end of this phase, there is at most one (or no) certified value v (≠ ⊥).

Fourth phase of a round r (lines 15–19). This phase ensures that the Agreement property will never be violated. This prevention is done in the following way. If a correct process p_i decides v during this round, then if some processes progress to the next round, v is the only certified value. In this decision phase, a process p_i collects (n − t) valid messages and stores the values in V_i. If the set V_i of a process p_i contains a unique non-⊥ value v, p_i decides v. Indeed, among the (n − t) same values v received by p_i, at least n − 2t have been sent by correct processes. As (n − t) + (n − 2t) > n, any set of (n − t) valid signed messages of this phase includes at least one value v. Hence, all processes receive at least one value v (the other values could be v or ⊥) and the only certified value for the next rounds is v. This means that during the next round (if any) no coordinator (whether correct or Byzantine) can send a valid value different from v.

If during the fourth phase a process p_i receives only ⊥ values, it is sure that no process can decide during this round and thus it can keep the value it has already stored in est_i (the certificate composed of the (n − t) valid signed messages received during phase four containing ⊥ values allows p_i to keep its previous value est_i).

Before deciding (line 17), a process first sends to all other processes a signed message DEC that contains the decision value (and the associated certificate). This will prevent the processes that progress to the next round from blocking because some correct processes have already decided and stopped sending messages. When a process p_i receives a valid DEC message at line 24, it first relays it to all other processes and then decides. Indeed, task T3 is used to implement a reliable broadcast to disseminate the eventual decision value, preventing some correct processes from blocking while others decide.


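As an added illustration (not code from the paper), the following Python script checks the claims made above for phases 2–4 exhaustively on small instances: for every choice of the correct processes' inputs, every value a Byzantine process may send to each receiver and every selection of (n − t) delivered messages, it evaluates the rules of lines 11, 14 and 17–18 and verifies that the filter leaves at most one non-⊥ value, that no two correct processes decide differently (Lemma 1), that a decided value v appears in every correct V_i (the counting step of Lemma 2), and that the value of a correct coordinator reaches all correct processes after line 11. The instance sizes n = 4, t = 1 and n = 3, t = 1, the two value names and the restriction of the Byzantine sender to certifiable values in the relay check are assumptions of the example; the second instance shows that the filter and decision properties break when n > 3t does not hold.

```python
"""Exhaustive check of the phase 2-4 rules of Figure 1 (lines 11, 14, 17-18).
Processes 0 .. n-t-1 are correct and follow the protocol; the remaining t are
Byzantine and may send any value to any receiver. Certificates are not modelled
(which only gives the Byzantine side more freedom) except in relay_propagates(),
where a correct coordinator leaves only its value and the default certifiable."""
from itertools import combinations, product

BOT = "bot"                 # the default value (the paper's ⊥), cannot be proposed
VALUES = ("v", "w", BOT)    # two distinct certified values plus the default

def relay_rule(V):
    """Line 11: keep v if v is the only non-default value in V_i, else default."""
    nonbot = V - {BOT}
    return next(iter(nonbot)) if len(nonbot) == 1 else BOT

def filter_rule(V):
    """Line 14: keep v only if V_i = {v}, else default."""
    return next(iter(V)) if len(V) == 1 else BOT

def decision_rule(V):
    """Lines 17-18: V_i = {v} decides v; V_i = {v, default} adopts v as the
    new estimate; anything else keeps the previous estimate."""
    nonbot = V - {BOT}
    if len(V) == 1 and nonbot:
        return ("decide", next(iter(nonbot)))
    if len(nonbot) == 1 and BOT in V:
        return ("estimate", next(iter(nonbot)))
    return ("keep", None)

def executions(n, t, correct_inputs, byz_values=VALUES):
    """Yield, for one all-to-all phase, the sets V_i collected by the n - t
    correct processes under every combination of correct inputs, per-receiver
    Byzantine values and delivery choices. A correct process sends the same
    value to everyone; each receiver keeps the messages of any n - t distinct
    senders (a superset of the behaviours the model allows)."""
    nc = n - t
    for cvals in correct_inputs:
        for bvals in product(byz_values, repeat=nc * t):
            for delivery in product(combinations(range(n), nc), repeat=nc):
                views = []
                for i in range(nc):
                    V = set()
                    for s in delivery[i]:
                        V.add(cvals[s] if s < nc else bvals[i * t + s - nc])
                    views.append(frozenset(V))
                yield views

def filter_is_safe(n, t):
    """Phase 3 claim: after line 14 at most one non-default value survives
    among the correct processes, whatever the Byzantine processes do."""
    for views in executions(n, t, product(VALUES, repeat=n - t)):
        if len({filter_rule(V) for V in views} - {BOT}) > 1:
            return False
    return True

def decision_is_safe(n, t):
    """Lemma 1 and the counting step of Lemma 2: no two correct processes
    decide differently, and a decided value v is present in every correct V_i
    (so line 18 makes v the estimate of every process that did not decide)."""
    for views in executions(n, t, product(VALUES, repeat=n - t)):
        decided = {v for kind, v in map(decision_rule, views) if kind == "decide"}
        if len(decided) > 1:
            return False
        if any(v not in V for v in decided for V in views):
            return False
    return True

def relay_propagates(n, t):
    """Phase 2 claim: when the coordinator is a 2t-BW, at least t + 1 correct
    processes hold its value v after line 7 and the others hold the default;
    after line 11 every correct process holds v. The Byzantine sender is
    limited to {v, default}: with a correct coordinator nothing else certifies."""
    nc = n - t
    inputs = [c for c in product(("v", BOT), repeat=nc) if c.count("v") >= t + 1]
    for views in executions(n, t, inputs, byz_values=("v", BOT)):
        if any(relay_rule(V) != "v" for V in views):
            return False
    return True

if __name__ == "__main__":
    for n, t in ((4, 1), (3, 1)):
        print(f"n={n}, t={t}: relay={relay_propagates(n, t)} "
              f"filter={filter_is_safe(n, t)} decision={decision_is_safe(n, t)}")
```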
4 Correctness of the protocol 

Lemma 1 If two correct processes p_i and p_j decide v and v', respectively, then v = v'.

Proof The proof is by contradiction. Suppose that p_i and p_j decide v and v', respectively, such that v ≠ v'. This means that v appears at least (n − t) times in V_i and v' also appears at least (n − t) times in V_j at line 17. This means that |V_i| + |V_j| ≥ 2(n − t). Since the correct processes send (according to the protocol) the same message to both processes and the t Byzantine processes can send different messages to them, we have |V_i| + |V_j| ≤ (n − t) + 2t = (n + t). This leads to (n + t) ≥ 2(n − t), i.e., n ≤ 3t, a contradiction as we assume n > 3t.


Lemma 2 If a correct process p_i decides v ≠ ⊥ during a round r, then all correct processes that have not decided start the next round with the same estimate v.

Proof Let us first note that if any correct process decides the value v ≠ ⊥ at round r then all correct processes that have not decided set their estimates to v, because each of these processes receives at line 22 at least one FILT2(r_i, aux) message carrying the value v. Moreover, all correct processes start round r + 1 with the same estimate v.

The proof is by contradiction. Suppose that a correct process p_i decides v at a round r (line 17) and a correct process p_j has not decided at this round and sets its own estimate to v' ≠ v. This means that the set V_j of p_j contains only values different from v. By assumption, the value v appears in V_i at least (n − t) times because p_i has decided. As there are t Byzantine processes, v is received by p_i at least (n − 2t) times from correct processes. Of these (n − 2t) messages received by p_i, at most t are lost by p_j, because it waits for (n − t) messages (line 16). From this, we can conclude that V_j contains the value v at least (n − 3t) > 0 times (n > 3t). Hence, p_j sets its estimate to v. A contradiction.


Corollary 1 If a correct process p_i decides a certified value v during a round r, then only v can be decided in the same or in subsequent rounds.

Proof Let us consider that a process p_i decides a value v in a round r. If a correct process p_j decides at the same round r then, by Lemma 1, it decides the same value v decided by p_i. If a correct process p_j does not decide at the same round r then, by Lemma 2, all correct processes start the next round r + 1 with the same estimate value v decided by p_i at round r. Indeed, in the latter case, v will be the only certified value, as even ⊥ is not certified: a certificate for the value that will be used during the next round is composed of a set of (n − t) messages, and as we said above any such set includes at least one value v. From now on, the only value that can be exchanged is v and only v can be decided.

□ Corollary 1


Function Consensus(v_i)

Init: r_i ← 0; Δ_i[1..n] ← 1;

Task T1: % basic task %

  - init phase -

  (1) send INIT(v_i) to all;

  (2) wait until (INIT messages received from at least (n − t) distinct processes);

  (3) if (∃v : INIT(v) received at least (n − 2t) times) then est_i ← v else est_i ← v_i endif;

  repeat forever

    (4) c ← (r_i mod n) + 1; r_i ← r_i + 1;

    - round r_i -

    (5) send QUERY(r_i, est_i) to all; set_timer(Δ_i[c]);

    (6) wait until (RESPONSE(r_i, est) received from p_c)
          or (time-out and RESPONSE(r_i, est) received from (n − t) distinct processes);

    (7) if RESPONSE(r_i, est) received from p_c then aux_i ← est else aux_i ← ⊥;

    (8) if (timer times out) then Δ_i[c] ← Δ_i[c] + 1 else disable_timer endif;

    (9) send RELAY(r_i, aux_i) to all;

    (10) wait until (RELAY(r_i, ∗) received from at least (n − t) distinct processes); store values in V_i;

    (11) if (V_i − {⊥} = {v}) then aux_i ← v else aux_i ← ⊥ endif;

    (12) send FILT1(r_i, aux_i) to all;

    (13) wait until (FILT1(r_i, ∗) received from at least (n − t) distinct processes); store values in V_i;

    (14) if (V_i = {v}) then aux_i ← v else aux_i ← ⊥ endif;

    (15) send FILT2(r_i, aux_i) to all;

    (16) wait until (FILT2(r_i, ∗) received from at least (n − t) distinct processes); store values in V_i;

    (17) case (V_i = {v}) then send DEC(v) to all; return(v);

    (18)      (V_i = {v, ⊥}) then est_i ← v;

    (19) endcase;

  end repeat

Task T2[r]: % Query-response coordination task - There is one such task per round r %

  (20) c_est_i ← ⊥

  (21) upon receipt of QUERY(r, est) from p_j:

  (22)   if p_i is the coordinator of round r and c_est_i = ⊥ then c_est_i ← est;

  (23)   send RESPONSE(r, c_est_i) to p_j

Task T3:

  (24) upon receipt of DEC(est): send DEC(est) to all; return(est);


Figure 1: An Authenticated Byzantine Consensus Protocol With ◇2t-BW


Theorem 1 (agreement) No two correct processes decide differently.

Proof If a correct process decides at line 24, it decides a certified value decided by another process. Let us consider the first round where a process decides at line 17. By Corollary ??, if a process decides a certified value during the same round, it decides the same value. If a process decides after receiving a DEC message at line 24, it decides the same value. Any process that starts the next round with its local variable est_i ≠ v will see its messages rejected (no value different from v can be certified).

□ Theorem 1


Lemma 3 If no process decides during a round r' < r, then all correct processes start round r + 1.

Proof Let us first note that a correct process cannot be blocked forever in the init phase. Moreover, it cannot be blocked at line 6, because of the time-out and because at least (n − t) processes respond to QUERY messages.

Suppose that no process has decided a value v during a round r' < r, where r is the smallest round number in which a correct process p_i blocks forever. The proof is by contradiction.

By assumption, p_i is blocked at line 10, 13 or 16.

Let us first examine the case where p_i blocks at line 10, which is the first statement of round r where a process can block forever. This means that at least (n − t) correct processes eventually execute line 9, because processes are partially synchronous. Consequently, as communication is reliable between correct processes, the messages sent by correct processes will eventually arrive at p_i, which blocks forever at line 10. The cases where p_i blocks at line 13 or 16 are similar to this first case. It follows that if p_i does not decide, it will proceed to the next round. A contradiction.

□ Lemma 3


Theorem 2 (termination) If there is a ◇2t-BW in the system, then all correct processes eventually decide.

Proof As the protocol uses authentication, if some process receives a valid DEC message, it can decide even
if the message has been sent by a faulty process. Recall that a Byzantine process cannot forge a signature.
If a correct process decides at line 17 or at line 24 then, due to the sending of DEC messages at line 17
or line 24 respectively, prior to the decision, any correct process will receive such a message and decide
accordingly (line 24).

So, suppose that no correct process decides. The proof is by contradiction. By hypothesis, there is a time
T after which there is a process p_x that is a ◇2t-BW. Let p_j be a correct process and one of the 2t privileged
neighbors of p_x. Let r be the first round that starts after T and that is coordinated by p_x. As by assumption
no process decides, due to Lemma 3, all correct processes p_i (and possibly some Byzantine processes) start round r and send a valid QUERY
message to p_x (line 5). This QUERY message contains a value est which is the estimate of process p_i.
When the coordinator p_x of round r receives the first QUERY message (line 21), possibly from itself, it sets
its local variable c_est_x to the valid value contained in the message. Then, each time process p_x receives a
QUERY message related to this round r, it sends a RESPONSE message to the sending process. If we
consider any correct process p_i that is a privileged neighbor of p_x, the RESPONSE message from the coordinator p_x
to the QUERY message of p_i will be received by p_i among the first n − t responses, because the link between
p_i and p_x is winning, or the RESPONSE message from p_x will be received by p_i before the expiration of Δ_i[x],
because the link between p_i and p_x is timely (line 21).

In the worst case, there are t Byzantine processes among the 2t + 1 privileged neighbors of p_x (t Byzantine
processes, t correct processes and p_x itself).
During the next phase, a Byzantine process can either relay the value of p_x or relay ⊥, arguing that Δ_i[x] has
expired and it did not receive the response of p_x among the first (n − t) RESPONSE messages (the value of
p_x and ⊥ are the only two valid values for this round). This allows us to conclude that the value v sent by p_x,
the coordinator of the present round, is relayed at line 9 by at least the t + 1 correct processes with which
p_x has timely or winning links (the only other possible value is ⊥).

During the third phase (lines 12-14), as the value v of p_x is the only certified value, all the processes
that send a certified message at line 12 send v. This allows us to conclude that all processes will have to set their
aux variable to v (line 14). In the same way, all processes that send certified messages at line 15
will send v. From there we can conclude that correct processes will all decide at line 17, which proves the
theorem. □_{Theorem 2}
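The round structure of Figure 1 and the case analysis in the proof of Theorem 2 can be checked mechanically for small n and t. The following Python script is an added illustration, not code from the paper: it simulates lines 10-19 of one round for every adversarial choice of message ordering and of Byzantine equivocation, then checks that only one value is ever decided, that a decider forces every other correct process to adopt v (lines 17-18), and that the worst case of Theorem 2 (t + 1 correct processes relaying v) always ends with all correct processes deciding in that round. Its model of certification is an assumption of mine: values are restricted to {v, ⊥}, and a Byzantine process may send ⊥ in a FILT phase only if it could justify it with n − t signed messages of the previous phase. The names `explore_round`, `agreement_holds` and `always_all_decide` are mine.

```python
"""Exhaustive simulation of the filtering phases (lines 10-19) of Figure 1.

Modeling assumptions (mine, not the paper's): only v and BOT circulate, since
v is the single certifiable value of the round; a Byzantine process may send
different values to different receivers, but may send BOT in a FILT phase only
if n - t signed messages of the previous phase would justify it; the adversary
picks which n - t messages reach each correct receiver first in every phase.
"""
from itertools import combinations, product

BOT = None   # the paper's bottom value ⊥
V = "v"      # the single certifiable value of the round (constructed label)


def line11(values, _est):
    """Line 11: aux_i <- v if V_i - {⊥} is the singleton {v}, else ⊥."""
    non_bot = {x for x in values if x is not BOT}
    return next(iter(non_bot)) if len(non_bot) == 1 else BOT


def line14(values, _est):
    """Line 14: aux_i <- v if V_i == {v}, else ⊥."""
    return V if set(values) == {V} else BOT


def lines17_18(values, est):
    """Lines 17-18: (decision, est). V_i == {v}: decide v; V_i == {v, ⊥}:
    adopt v as estimate; otherwise keep the current estimate."""
    s = set(values)
    if s == {V}:
        return V, V          # a decider trivially leaves the round with est = v
    if s == {V, BOT}:
        return None, V
    return None, est


def explore_round(n, t, byz, relay, est):
    """Return every reachable end state of one round as a set of
    (decisions, estimates) tuples, both indexed like the sorted correct pids.
    relay: value each correct process relays at line 9 (V or BOT).
    est:   estimate each correct process holds when the round starts."""
    byz = set(byz)
    correct = sorted(set(range(n)) - byz)
    quorums = list(combinations(range(n), n - t))   # the first n - t senders seen

    def byz_choices(allowed):
        # every Byzantine process independently picks a value per correct receiver
        per_byz = [[dict(zip(correct, c)) for c in product(allowed, repeat=len(correct))]
                   for _ in byz]
        return [dict(zip(sorted(byz), combo)) for combo in product(*per_byz)]

    def run_phase(correct_sent, allowed, rule):
        sent_c = dict(zip(correct, correct_sent))
        results = set()
        for bsend in byz_choices(allowed):
            for qs in product(quorums, repeat=len(correct)):
                outcome = []
                for r, q in zip(correct, qs):
                    vals = [sent_c[s] if s in sent_c else bsend[s][r] for s in q]
                    outcome.append(rule(vals, est[r]))
                results.add(tuple(outcome))
        return results

    both = (V, BOT)
    # Phase 1 (lines 10-11): ⊥ is always relayable (a "timer expired" claim).
    aux1_states = run_phase(tuple(relay[c] for c in correct), both, line11)
    # Phase 2 (lines 13-14): FILT1(⊥) needs n - t signed RELAY(⊥); Byzantine
    # processes can sign such RELAY messages for each other.
    bot_relays = sum(relay[c] is BOT for c in correct) + len(byz)
    byz_filt1_bot = bot_relays >= n - t
    final = set()
    for a1 in aux1_states:
        for a2 in run_phase(a1, both if byz_filt1_bot else (V,), line14):
            # Phase 3 (lines 16-18): FILT2(⊥) needs one signed FILT1(⊥).
            filt2_bot = byz_filt1_bot or BOT in a1
            for res in run_phase(a2, both if filt2_bot else (V,), lines17_18):
                decs, new_ests = zip(*res)
                final.add((decs, new_ests))
    return final


def agreement_holds(outcomes):
    """Only one value is ever decided, and when some correct process decides v
    every correct process leaves the round with est = v."""
    for decs, ests in outcomes:
        decided = {d for d in decs if d is not None}
        if len(decided) > 1 or (decided and any(e != V for e in ests)):
            return False
    return True


def always_all_decide(outcomes):
    """True when every schedule ends with every correct process deciding v."""
    return all(all(d == V for d in decs) for decs, _ in outcomes)


if __name__ == "__main__":
    # Constructed instance of Theorem 2's worst case: n = 4, t = 1, p3 Byzantine,
    # p0 and p1 relay v (winning/timely links with the coordinator), p2 timed out.
    good = explore_round(4, 1, [3], {0: V, 1: V, 2: BOT}, {0: V, 1: V, 2: "w"})
    print("t+1 correct relays:", len(good), "end states; all decide:", always_all_decide(good))
    # Only one correct process relays v: a decision may be delayed, never violated.
    weak = explore_round(4, 1, [3], {0: V, 1: BOT, 2: BOT}, {0: V, 1: "w", 2: "w"})
    print("one correct relay:", len(weak), "end states; all decide:",
          always_all_decide(weak), "; agreement:", agreement_holds(weak))
```

With n = 4 and t = 1 the enumeration is a few thousand end states and finishes well under a second. The second instance shows the situation the page's Lemma 3 and Theorem 1 cover: a round in which a single correct process relays v may end without any decision (and the estimate "w", which is never certifiable, simply survives), but it never ends with two different decisions or with a decider beside a correct process that still holds a value other than v.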


Theorem 3 (Validity) If all correct processes propose v, then only v can be decided. 

Proof Let v be the only value proposed by correct processes at line 1. Since all correct processes propose v,
v is sent at least (n − t) times at line 1. Since processes receive at least (n − t) values from distinct processes,
we can conclude that at line 3 the value v is received at least (n − 2t) times by any correct process.
Moreover, any value proposed by Byzantine processes will be received at most t times. As n > 3t, we
have t < n − 2t. Consequently, the only certified value is v. This means that all correct processes set their
variable est to v.

□_{Theorem 3}


5 Conclusion 

This paper has shown that a timer-based assumption and a time-free assumption can be combined to solve authenticated
Byzantine consensus in asynchronous distributed systems. It has presented the first deterministic
authenticated Byzantine protocol that benefits from the best of both worlds. This combined assumption
considers a correct process p_i, called ◇2t-BW, and a set X of 2t processes such that, eventually, for each
query broadcast by a correct process p_j of X, p_j receives a response from p_i ∉ X among the (n − t)
first responses to that query or both links connecting p_i and p_j are timely. The proposed protocol has a very
simple design principle and it provides an assumption coverage better than the one offered by any protocol
based on a single one of these assumptions. In a favorable setting, the proposed protocol can reach a decision in
only 6 communication steps and needs only Ω(n²) messages in each step. The major contribution of this
paper is to show that Byzantine consensus is possible with a very weak hybrid additional assumption satisfying the
properties required by a ◇2t-BW.